0970c65085942cac294377272eadf9a2facf73f5f16bb6986062bbff22a1455c

Analysis

max time kernel
148s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18/01/2024, 07:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64d71d6cb8041fbb44975daa669ed125.exe
Size

4.8MB
MD5

64d71d6cb8041fbb44975daa669ed125
SHA1

c08dabc7e47c9bd4c950b4b37e1cb09cb264f9c7
SHA256

0970c65085942cac294377272eadf9a2facf73f5f16bb6986062bbff22a1455c
SHA512

e3f32899b25d269ffbf2e75e400d6fa785cfc7efce827a16a2b1f563318424eb6cac1b643500756167a816869d2df6240ab23ae95fc77be3cb7c9b2ad9e36d08
SSDEEP

98304:2agnJlfqwra+MAZp5HxBIITBQmg0kgwJjMTciS64qSPdq0fPW2spuro:2Rff2+M+BI6QWkgIScUX23k

Score

7^/10

spyware stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 12 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0006000000023112-21.dat	acprotect
behavioral2/files/0x0006000000023104-27.dat	acprotect
behavioral2/files/0x000600000002310f-29.dat	acprotect
behavioral2/files/0x000600000002310b-33.dat	acprotect
behavioral2/files/0x0006000000023113-36.dat	acprotect
behavioral2/files/0x0006000000023106-39.dat	acprotect
behavioral2/files/0x000600000002310e-41.dat	acprotect
behavioral2/files/0x000600000002310c-45.dat	acprotect
behavioral2/files/0x0006000000023110-47.dat	acprotect
behavioral2/files/0x0007000000023100-51.dat	acprotect
behavioral2/files/0x0006000000023107-53.dat	acprotect
behavioral2/files/0x0006000000023114-58.dat	acprotect

Loads dropped DLL 13 IoCs

pid	Process
3232	64d71d6cb8041fbb44975daa669ed125.exe
3232	64d71d6cb8041fbb44975daa669ed125.exe
3232	64d71d6cb8041fbb44975daa669ed125.exe
3232	64d71d6cb8041fbb44975daa669ed125.exe
3232	64d71d6cb8041fbb44975daa669ed125.exe
3232	64d71d6cb8041fbb44975daa669ed125.exe
3232	64d71d6cb8041fbb44975daa669ed125.exe
3232	64d71d6cb8041fbb44975daa669ed125.exe
3232	64d71d6cb8041fbb44975daa669ed125.exe
3232	64d71d6cb8041fbb44975daa669ed125.exe
3232	64d71d6cb8041fbb44975daa669ed125.exe
3232	64d71d6cb8041fbb44975daa669ed125.exe
3232	64d71d6cb8041fbb44975daa669ed125.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 38 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000023112-21.dat	upx
behavioral2/memory/3232-23-0x0000000075570000-0x000000007598E000-memory.dmp	upx
behavioral2/files/0x0006000000023104-27.dat	upx
behavioral2/memory/3232-30-0x00000000754B0000-0x00000000754D3000-memory.dmp	upx
behavioral2/files/0x000600000002310f-29.dat	upx
behavioral2/memory/3232-32-0x00000000754A0000-0x00000000754AC000-memory.dmp	upx
behavioral2/files/0x000600000002310b-33.dat	upx
behavioral2/memory/3232-35-0x0000000075480000-0x0000000075496000-memory.dmp	upx
behavioral2/files/0x0006000000023113-36.dat	upx
behavioral2/memory/3232-38-0x0000000075430000-0x000000007543C000-memory.dmp	upx
behavioral2/files/0x0006000000023106-39.dat	upx
behavioral2/memory/3232-42-0x0000000075420000-0x000000007542F000-memory.dmp	upx
behavioral2/files/0x000600000002310e-41.dat	upx
behavioral2/memory/3232-44-0x00000000751C0000-0x0000000075412000-memory.dmp	upx
behavioral2/files/0x000600000002310c-45.dat	upx
behavioral2/memory/3232-48-0x0000000075190000-0x00000000751BB000-memory.dmp	upx
behavioral2/files/0x0006000000023110-47.dat	upx
behavioral2/memory/3232-50-0x00000000750F0000-0x0000000075181000-memory.dmp	upx
behavioral2/files/0x0007000000023100-51.dat	upx
behavioral2/memory/3232-54-0x00000000750D0000-0x00000000750E9000-memory.dmp	upx
behavioral2/files/0x0006000000023107-53.dat	upx
behavioral2/memory/3232-56-0x0000000075570000-0x000000007598E000-memory.dmp	upx
behavioral2/memory/3232-57-0x00000000750A0000-0x00000000750CB000-memory.dmp	upx
behavioral2/files/0x0006000000023114-58.dat	upx
behavioral2/memory/3232-60-0x00000000754B0000-0x00000000754D3000-memory.dmp	upx
behavioral2/memory/3232-61-0x0000000074F80000-0x000000007508F000-memory.dmp	upx
behavioral2/memory/3232-62-0x0000000075570000-0x000000007598E000-memory.dmp	upx
behavioral2/memory/3232-63-0x00000000754B0000-0x00000000754D3000-memory.dmp	upx
behavioral2/memory/3232-64-0x00000000754A0000-0x00000000754AC000-memory.dmp	upx
behavioral2/memory/3232-65-0x0000000075480000-0x0000000075496000-memory.dmp	upx
behavioral2/memory/3232-68-0x00000000751C0000-0x0000000075412000-memory.dmp	upx
behavioral2/memory/3232-67-0x0000000075420000-0x000000007542F000-memory.dmp	upx
behavioral2/memory/3232-66-0x0000000075430000-0x000000007543C000-memory.dmp	upx
behavioral2/memory/3232-69-0x0000000075190000-0x00000000751BB000-memory.dmp	upx
behavioral2/memory/3232-70-0x00000000750F0000-0x0000000075181000-memory.dmp	upx
behavioral2/memory/3232-71-0x00000000750D0000-0x00000000750E9000-memory.dmp	upx
behavioral2/memory/3232-72-0x00000000750A0000-0x00000000750CB000-memory.dmp	upx
behavioral2/memory/3232-73-0x0000000074F80000-0x000000007508F000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	api.ipify.org
8	api.ipify.org

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 3232	2080	64d71d6cb8041fbb44975daa669ed125.exe	90
PID 2080 wrote to memory of 3232	2080	64d71d6cb8041fbb44975daa669ed125.exe	90
PID 2080 wrote to memory of 3232	2080	64d71d6cb8041fbb44975daa669ed125.exe	90

C:\Users\Admin\AppData\Local\Temp\64d71d6cb8041fbb44975daa669ed125.exe
"C:\Users\Admin\AppData\Local\Temp\64d71d6cb8041fbb44975daa669ed125.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Users\Admin\AppData\Local\Temp\64d71d6cb8041fbb44975daa669ed125.exe
  "C:\Users\Admin\AppData\Local\Temp\64d71d6cb8041fbb44975daa669ed125.exe"
  2⤵
  - Loads dropped DLL
  PID:3232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI20802\VCRUNTIME140.dll

Filesize
81KB

MD5
2ebf45da71bd8ef910a7ece7e4647173

SHA1
4ecc9c2d4abe2180d345f72c65758ef4791d6f06

SHA256
cf39e1e81f57f42f4d60abc1d30ecf7d773e576157aa88bbc1d672bf5ad9bb8b

SHA512
a5d3626553731f7dc70f63d086bd9367ea2c06ad8671e2578e1340af4c44189ecb46a51c88d64a4b082ce68160390c3f8d580dde3984cd254a408f1ef5b28457

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20802\_bz2.pyd

Filesize
42KB

MD5
09c52add7abd44eded770115352f2f41

SHA1
48f44e158bdf2f6a1329fac4df96dc18aa84a88f

SHA256
9255d3f6217ba0e7ad4be558798764ccf6a796b143c6e12ef639692f5198558f

SHA512
ed97478c35b495598ea0e2a9ec35fa75a3cc2ae68abbf74f768d90d5e4b7b637f716c865e4d5a2c8c3b217696598a12abf748c64395d5517c765bb2e2ff52af8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20802\_ctypes.pyd

Filesize
50KB

MD5
f63b6453662fd08af9c442a0bbb85308

SHA1
81721fbd1579a6af44677ed1573d7c5f1ed7ec7e

SHA256
b88ff4a52a6d3529f7d36dfd530bfd206ebf2ac7c171f7d06f9cc3345a57209e

SHA512
1edb1fa0106f7651b34e9e89a2a3f0a27ff0d0f456ba63b4ee3e65d2db073144c792369219e45afb50febd23d80020320aa1d4b37b2d790e839ee70ec13b2ab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20802\_hashlib.pyd

Filesize
23KB

MD5
8268a89d1d90fdd9a747fea7f1ccbc20

SHA1
1fcb3558e6577a289dac4114c0223156087c77eb

SHA256
7e30c7a03c4df99bbb1d316409ee0aec698c56fc7f87ff6b0f6185173692a525

SHA512
0db082b4a11ab410601fbc165de719853ebadfa140e597f07d3d562db4d5bd44f5af1ed185a866588935a8d49afd7440fee7f51e038bea639153d8bf41e97ecb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20802\_lzma.pyd

Filesize
79KB

MD5
c06a1015d4bceaaabe9b8e8fa9c5590b

SHA1
52b802ac7e6723a2c668f173bb217bb085810d6d

SHA256
bb92c27f5bcdebe81ad2f6404552690349c909d7af460bd7067479cba6881ea7

SHA512
7f12fb2747a9dc73f2719f7e1deb45c0ae482c7ef406d76cdcbd25357b97374405115f21efb79c23ed3976d4fb2067d44773dc7313f63b78d3bd0d41037f3173

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20802\_socket.pyd

Filesize
34KB

MD5
cedd8543545b42279837d0b08c39363b

SHA1
6d593892d452723ba54a2970463537fc33979bed

SHA256
5bb719c09e9c2bb8f6fa9a3b6ff0a932f9291a6263d621b8a96201e9b895260a

SHA512
94a306725417660ea9e3eb9c40bad04140ef22f09a3844ddc4024b1464dd02e2c1fdebddeddb1ba7f215c51b2538690ded1dc374c1fd0c6f1024b45728549046

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20802\_ssl.pyd

Filesize
53KB

MD5
a868bcaa557f6b6093eb4f60e4569c42

SHA1
8654b06e306312becffac03a2fd09deb34dc13d3

SHA256
1289aa6c9244f3832f2953bf5bf5e43d7a258557113aba16e53909773875ec77

SHA512
94c3e55d516d1c846e970774474669ac581e199b231182f579cbed8276f45096960bc67ff30aa2ddc58e775f1d8ff646083ab9371a3077bc3db52318193f4000

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20802\base_library.zip

Filesize
759KB

MD5
5b9dbac77705ebeafb101b3f9b0fb50f

SHA1
6bb77af71ea5a2059d77779334674462fe7419df

SHA256
db13fc22122682b641e2f3eb1ff402255136fb27edabf0d6a317ae090730f570

SHA512
1ee42d058b8c1e1eaea03de954dd69f40dcf60ff171421c2add1e52185484a63be7fff05e2bfcb8d50fa298ff9f1db62dff10a4cb975d28d903c70b34dfe0e5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20802\libcrypto-1_1.dll

Filesize
735KB

MD5
dfb4e027ca2a25250ca39392bedf33f3

SHA1
a82e9947aa2ede6773522758382c72fb26b026a5

SHA256
47fe61d2c06325cdf638b9d4b751a1f028c796a18b55bd07ef7578f028077eb8

SHA512
e72bd597fcc6fb01d3849c9f792e6046b1efdc2a8d61339cc3432826c3eb9fac158d03005daadb366617b05d778689330e01278caece037fa84ed9ac6118dc88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20802\libffi-7.dll

Filesize
22KB

MD5
bd6cae5d2914cbd29080c3f37293c944

SHA1
69254f47b2cb0c319dde36f79561dc1bd11aa66d

SHA256
0307d65c5ff0f171f99e26cde1aee5019361be7d4cd72603880ffec3d5e7ce56

SHA512
c1d052ce66331981f8e73fb862cbbd80e20bd2808ba52174d64e8bef6008bca33e71f63d1f36d493da841a254c57e8f17851252fa5073fc68fe0ea91a48f782b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20802\libssl-1_1.dll

Filesize
165KB

MD5
a872be59b61ab012c85c108582230fd2

SHA1
0e91ab548da481ea497838f89aecc0a948ce72f8

SHA256
c7445a62a7e884d8c1140c51e321b5b03334d87f4f5d9cd6006cdfa10e02bb6a

SHA512
3f3cdbc4fbfb551a9e7aff3c7d7a34d46cabb90ca8c7e4794d4d84d178ee4fe1a4f28a606002a995e717391b8317be905e599217b65013dc27266c219f1c71be

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20802\python38.dll

Filesize
1.2MB

MD5
4a8154061167ba8b8185219b64ef53b9

SHA1
e257578c2b7bcb6c69402c1abe64a3c9a614fd83

SHA256
cd90fef028747cabee6300bb8661be54933d58ca3800bb7e0349ab7ffee25866

SHA512
a583b03644e81114b82452bdca3a1ecf65d13b22e74c6f51539ab158249ae10f77b247b2bfda79a70678c05db8f5ff765e1fb6788cf89d4a8f9750db71d81ec7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20802\select.pyd

Filesize
19KB

MD5
99f9d89add39c6e589d5d4c076e12ca6

SHA1
5a370cb3295fd5e72023ec844a347a9b47640c2b

SHA256
dc95c6e11e197545ce40a56f102c380cfa36d3181497074313c19e2876180fce

SHA512
7b991937d3f14a07d0ce78c561d891d605f61c6169be99bd39cf9d1550ad38459d54602947533678afbc41d58559299bed63c065a07ab0563636b807b0629b28

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20802\unicodedata.pyd

Filesize
277KB

MD5
b25cdf18204d4b6b76d9894b36113e64

SHA1
e74fa6bed5881337321771f78dcd118f8448eb5d

SHA256
d09e4fe7e7a39dcb7066ad22072a36100405a22f1c716f46499f0f78d96116ae

SHA512
016a0a538a85fbdae09e0dc31339ace1262e9c237804a0758b4157c48a831fa3f7b65e0d616992d442378c0986ff0d373e6bffa8b9bb84d5995fbb4633ac6ece

Download Submit
memory/3232-50-0x00000000750F0000-0x0000000075181000-memory.dmp

Filesize
580KB

Download
memory/3232-70-0x00000000750F0000-0x0000000075181000-memory.dmp

Filesize
580KB

Download
memory/3232-35-0x0000000075480000-0x0000000075496000-memory.dmp

Filesize
88KB

Download
memory/3232-48-0x0000000075190000-0x00000000751BB000-memory.dmp

Filesize
172KB

Download
memory/3232-32-0x00000000754A0000-0x00000000754AC000-memory.dmp

Filesize
48KB

Download
memory/3232-42-0x0000000075420000-0x000000007542F000-memory.dmp

Filesize
60KB

Download
memory/3232-30-0x00000000754B0000-0x00000000754D3000-memory.dmp

Filesize
140KB

Download
memory/3232-54-0x00000000750D0000-0x00000000750E9000-memory.dmp

Filesize
100KB

Download
memory/3232-23-0x0000000075570000-0x000000007598E000-memory.dmp

Filesize
4.1MB

Download
memory/3232-56-0x0000000075570000-0x000000007598E000-memory.dmp

Filesize
4.1MB

Download
memory/3232-57-0x00000000750A0000-0x00000000750CB000-memory.dmp

Filesize
172KB

Download
memory/3232-38-0x0000000075430000-0x000000007543C000-memory.dmp

Filesize
48KB

Download
memory/3232-44-0x00000000751C0000-0x0000000075412000-memory.dmp

Filesize
2.3MB

Download
memory/3232-60-0x00000000754B0000-0x00000000754D3000-memory.dmp

Filesize
140KB

Download
memory/3232-68-0x00000000751C0000-0x0000000075412000-memory.dmp

Filesize
2.3MB

Download
memory/3232-63-0x00000000754B0000-0x00000000754D3000-memory.dmp

Filesize
140KB

Download
memory/3232-64-0x00000000754A0000-0x00000000754AC000-memory.dmp

Filesize
48KB

Download
memory/3232-65-0x0000000075480000-0x0000000075496000-memory.dmp

Filesize
88KB

Download
memory/3232-62-0x0000000075570000-0x000000007598E000-memory.dmp

Filesize
4.1MB

Download
memory/3232-67-0x0000000075420000-0x000000007542F000-memory.dmp

Filesize
60KB

Download
memory/3232-66-0x0000000075430000-0x000000007543C000-memory.dmp

Filesize
48KB

Download
memory/3232-69-0x0000000075190000-0x00000000751BB000-memory.dmp

Filesize
172KB

Download
memory/3232-61-0x0000000074F80000-0x000000007508F000-memory.dmp

Filesize
1.1MB

Download
memory/3232-71-0x00000000750D0000-0x00000000750E9000-memory.dmp

Filesize
100KB

Download
memory/3232-72-0x00000000750A0000-0x00000000750CB000-memory.dmp

Filesize
172KB

Download
memory/3232-73-0x0000000074F80000-0x000000007508F000-memory.dmp

Filesize
1.1MB

Download